Random beacons — information sources that broadcast a stream of random digits unknown by anyone beforehand — are useful for various cryptographic purposes. But such beacons can be easily and undetectably sabotaged, so that their output is known beforehand by a dishonest party, who can use this information to defeat the cryptographic protocols supposedly protected by the beacon. We explore a strategy to reduce this hazard by combining the outputs from several noninteracting (eg spacelike-separated) beacons by XORing them together to produce a single digit stream which is more trustworthy than any individual beacon, being random and unpredictable if at least one of the contributing beacons is honest. If the contributing beacons are not spacelike separated, so that a dishonest beacon can overhear and adapt to earlier outputs of other beacons, the beacons' trustworthiness can still be enhanced to a lesser extent by a time sharing strategy. We point out some disadvantages of alternative trust amplification methods based on one-way hash functions.
A. Introduction 



In cryptography and distributed computing, a random beacon is a trusted information source (eg a radio transmitter) that periodically broadcasts a random signal which is unknown to anyone before the time of broadcast but becomes known to everyone thereafter. Beacons were originally proposed by Rabin [ref] to facilitate remote transactions such as contract signing. Bennett, DiVincenzo and Linsker [ref] proposed using a trusted random beacon to help authenticate video recordings, made by untrusted recording apparatus operated by untrusted personnel, against falsification of the time or content (see Fig. 1). These two applications require only a low information rate (eg kHz), and assume that the history of previously emitted signals becomes a matter of public record, being stored at the beacon and/or other independent locations to help resolve disputes. More recently, Aumann and Rabin [ref] have proposed using a much higher bandwidth beacon (eg GHz to THz) to permit informationally secure encryption. The security of this scheme depends on the beacon's information rate being so great that no one can feasibly store the history of its previously emitted signals.

The Achilles' heel of beacons is the need for users to trust that they have not been sabotaged. A dishonest beacon operator can intentionally substitute pseudorandom digits, or true random digits generated much earlier and leaked to accomplices, for the supposedly fresh random digits being emitted by the beacon. Even if the operator is honest, a dishonest hardware supplier could have concealed a tiny clandestine pseudorandom generator (PSRG) in the supposed true random generator (TRG) hardware used by the beacon, causing the hardware's output to be largely predictable. To avoid detection, such a hardware saboteur should not make the output wholly deterministic, because this would lead to the sabotaged generator issuing the same digit stream every time it was turned on. Rather the sabotaged generator might take its first few hundred digits from the TRG, then use these as a seed for the concealed PSRG to generate the rest of the sequence deterministically. An accomplice, knowing the nature of the sabotage, could then monitor the first few hundred digits of beacon output and use these to predict all the rest. To help accomplices who had missed the initial beacon output, the saboteur could use a steganographic reseeding strategy, for example whenever a particular random 40-bit string appeared in the beacon output, it would signal that the next 200 bits were not pseudorandom, but true random bits being used to reseed the concealed PSRG.

FIG. 1. Time-bracketed video authentication uses periodic "challenge" signals from a trusted random source to influence the scene being recorded (e.g. by a challenge-controlled laser scan), and shortly thereafter returns a hashed digest of the scene, including the effect of the challenge, to a trusted repository. The digests are produced by applying a secure hash function h to the current digital image data. The time bracketing prevents pre- or post-dating, and provides evidence that the action actually took place, as opposed to having been computationally simulated in real time or assembled from prerecorded material. Dishonest personnel can destroy the videotape, or can prevent it from being recorded in the first place, but so long as the beacon and repository remain honest, they cannot easily produce a faked video that will match the archived digests.

One might hope that these various sabotages, at least the ones involving pseudorandom generators, could be detected by post-facto analysis of the corrupted digit stream; but this hope is probably vain, as it is widely believed that there exist "cryptographically strong" pseudorandom generators which, when seeded with a random $n$-bit seed, produce an output stream that cannot be distinguished from true random digits in time polynomial in $n$.

In view of the ease of sabotaging beacons and the difficulty of detecting that they have been sabotaged, the main hope for beacon users would appear to lie in protocols that amplify trust by combining the outputs of several spatially and administratively separated beacons, in the reasonable expectation that only a few of them have been sabotaged. Henceforth we will consider a set of $n$ nominally but not exactly synchronized beacons $B_1 \ldots B_n$, each of which emits digits from an $\ell$-letter alphabet at regular intervals. Some beacons are honest and some dishonest (sabotaged), and we assume that the dishonest subset does not change with time. We will consider protocols for trust amplification by users who have access to the outputs of all the beacons.

An important consideration is whether the user, who combines the output of several beacons to produce some resultant sequence, is honest or dishonest. These two premises are profoundly different, and give rise to quite different protocols. An honest user strives to produce a resultant sequence that is random and unpredictable by accomplices of the dishonest beacons, despite not knowing which these are. A dishonest user, by contrast, knows the identities of the dishonest beacons, and conspires with them to produce a predictable resultant sequence, despite the unpredictability of the outputs of the honest beacons. A dishonest-user protocol is considered successful if it defeats this conspiracy, forcing the resultant sequence to be unpredictable even though the dishonest user is trying to make it predictable. This is the relevant premise for time-bracketed video authentication, whose goal is to prevent a potentially dishonest camera manufacturer and operator from producing a video that has been undetectably falsified as to its time or content.

One might ask why an honest user needs any beacon at all: if he is assumed to be honest, why can't he generate his own random numbers, in effect being a beacon unto himself? One possible answer is that he may lack the physical capacity to produce random numbers, or to produce them as fast as he desires, without drawing on external sources of randomness. In passing we note that an honest user, having a low-rate random source in his own lab, can use an extractor (cf. [ref]) to distill certifiably unpredictable high-rate random numbers from the low-rate private source and a collection of high-rate random beacons, only some of which are honest.

The remainder of this paper will concern dishonest-user protocols of the kind relevant for beacons to be used in time-bracketed authentication.

Vazirani considered the related problem of devising protocols to extract nearly unbiased random bits from two beacons, both dishonest and colluding, but neither entirely controllable by its operator. Here, by contrast, we have some beacons that are entirely controllable by colluding dishonest operators, and others that are entirely random and honest, but the designer of the protocol doesn't know which.



B. Trust amplification for beacons that are spacelike separated or otherwise known to be incapable of influencing one another

Trust amplification works best when the beacons are known to be incapable of influencing one another, so the dishonest beacons cannot adapt their output to that of the honest ones. This will be assured if the beacons' emissions are so well synchronized, compared to the distance between them, as to be spacelike separated in the sense of special relativity. Two beacons, say $B_1$ and $B_2$, are said to be spacelike separated when for all integer $i$ the spacetime event $\mathcal{E}(i, B_1)$ occurs at a spacelike interval from the spacetime event $\mathcal{E}(i, B_2)$; in other words, a light signal starting at beacon $B_1$ at the instant when it emits its $i$'th digit $B_1(i)$ will not have arrived at beacon $B_2$ by the time beacon $B_2$ emits its $i$'th digit $B_2(i)$, and similarly with the indices 2 and 1 reversed. Under these conditions, it is evident that the XOR (or more generally the mod-$\ell$ sum $\oplus$, for an $\ell$-letter alphabet) of the two beacons, ie the digit stream $B_1(i) \oplus B_2(i)$, will be random iff at least one of the constituent beacons is random.*

*Even without spacelike separation, noninteraction can sometimes be assured, with lesser confidence, by shielding or isolating each potentially dishonest beacon well enough to block significant incoming signals from the honest beacons. However, unless otherwise noted, we will henceforth assume that the beacons are not shielded or isolated, and that unless two beacons are spacelike separated the later one, if dishonest, can overhear and adapt to the signals of the earlier one.

For a beacon to be trustworthy, its output must not only be random, but also unpredictable before the time it is supposed to become public. In general the information from any given beacon does not become available to everyone simultaneously, owing to propagation delays, which can never be less than the distance of the observer from the beacon divided by the velocity of light $c$. For example, in the case of two synchronized honest beacons separated by distance $d$, an observer midway between the beacons would learn $B_1(i)$ and $B_2(i)$, and could compute $R_{XOR}(i)$, at a time $d/2v$ after the emission time of the $i$'th digit, where $v < c$ is the signal propagation velocity. An observer at either beacon would have to wait a little longer, until time $d/v$, to obtain the signal from the other beacon. These considerations may be summarized in the following proposition, whose proof is obvious:

If $B_1 \ldots B_n$ is a set of spacelike separated beacons, at least one of which is honest,

1. the modular sum

$$R_{XOR}(i) = \bigoplus_{k=1}^{n} B_k(i) \qquad (1)$$

is random,

2. $R_{XOR}(i)$ is unpredictable from the viewpoint of any observer outside the intersection of the forward light cones of the honest subset of beacons,

3. assuming that signals propagate at light speed, $R_{XOR}(i)$ can be correctly calculated by any observer inside the intersection of the forward light cones of all the beacons.

The principal effect of dishonesty is thus to create a region of spacetime within which $R_{XOR}(i)$ is predictable to accomplices of the dishonest beacons, but not to the general public. This region consists of points within the forward light cone of every honest beacon, but outside the forward light cone of at least one dishonest beacon.

C. Trust amplification for beacons that are timelike separated or otherwise suspected of influencing one another

Within any nominally synchronized set of beacons there may be enough timing error that the beacons are not in fact spacelike separated. Lack of spacelike separation can seriously impair the trustworthiness of the resultant sequence $R_{XOR}(i)$, making it untrustworthy over all spacetime, not just in a limited region. For example, suppose that beacon $B_1$ is so late that it has all the other beacons in its past light cone. Then, if $B_1$ is sabotaged, it can adapt its output $B_1(i)$ so as to force the resultant $R_{XOR}(i)$ not to be random, but to take on a predetermined value, perhaps chosen long beforehand. Thus the accomplices of the dishonest beacon potentially know $R_{XOR}(i)$ wherever they sit in spacetime, while honest players, as before, will only know $R_{XOR}(i)$ if they sit within the intersection of the future light cones of all the beacons, which in this case is simply the future light cone of $B_1$.

In the worst case, where one beacon is consistently so late as to have all the others in its past light cone, the XOR of all the beacons is no more trustworthy than the single latest beacon taken by itself. However, one can still gain some increased trust by combining the beacons in a different fashion, which we call the time-sharing protocol. Here the resultant is defined to be a cyclicly chosen one of the original beacons,

$$R_{TS}(i) = B_{i \bmod n}(i). \qquad (2)$$

If some of the beacons are honest and some dishonest, then some digits of the resultant sequence $R_{TS}$ will be predictable by accomplices of the dishonest beacons and others will be unpredictable. The resultant sequence is thus sure to be partly unpredictable, while the sequence from any individual beacon, or the XOR of all of them, has some chance of being wholly predictable. For purposes such as time-bracketed authentication [ref], a sequence that is sure to be at least partly unpredictable is still usable, though not as good as a wholly unpredictable sequence; but a sequence that has some chance of being wholly predictable is unusable.

The sort of uncertain unpredictability relevant to time-bracketed authentication can be quantified by the per-character min entropy, ie the negative logarithm of the probability (as seen by the dishonest users) of the most likely resultant sequence $R_{TS}(i)$, divided by the length of the sequence. If there are $n$ timelike separated beacons, $k$ of which at random are sabotaged but we don't know which, then the min entropy of $R_{TS}$ is $((n-k)/n)\log\ell$ bits per character. On the other hand, each individual beacon, say $B_1$, or the XOR of all the beacons if $B_1$ is the latest, has a per-character min entropy approaching zero, because $B_1$'s min entropy is dominated by the probability $k/n$ that it is sabotaged, and so emits a sequence that is completely predictable by dishonest users.

The advantage of using min entropy can be seen by noting that in this situation the ordinary Shannon entropies of $R_{TS}$ and $B_1$ are equal, both being $((n-k)/n)\log\ell$ bits per character. Thus min entropy heavily and properly penalizes any chance of complete predictability, while Shannon entropy allows it to hide amidst the unpredictability of other cases.

The superiority of spacelike separation, and the advantage of using $R_{XOR}$ instead of $R_{TS}$ when the beacons are known to be spacelike separated, can be seen by comparing the per character min entropies in various cases.



                          beacon separation
                          spacelike        timelike
XOR protocol              1                0
Time sharing protocol     (n - k)/n        (n - k)/n

Table I. Per character min entropy of resultant sequences $R_{XOR}$ and $R_{TS}$ obtained respectively by XOR and time-sharing protocols for trust amplification. We assume $n$ beacons, an unknown $k$ of which are dishonest. Entropies are in units of $\log\ell$, the entropy of an honest beacon emitting characters from an $\ell$-letter alphabet.

In general the resultant sequences $R_{XOR}$ (for spacelike separated beacons) or $R_{TS}$ (for any set of beacons) will be at least partly unpredictable, and therefore usable for purposes such as time bracketed authentication, except when all the beacons are dishonest.
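As an added illustration (not code from the paper), the following Python computes the entries of Table I exactly, together with the single-beacon row and the Shannon entropies discussed in sections B and C, under the paper's model: a sabotaged beacon's digits are fully known to its accomplices, an honest beacon's digits are uniform over the $\ell$-letter alphabet, and the sabotaged subset of size $k$ is unknown to the user. The sequence length $L$, the labelling of the bad beacons as $0 \ldots k-1$, and the parameter values in the driver are this example's own assumptions.

```python
"""Exact per-character min-entropy and Shannon entropy (bits) of R_XOR, R_TS
and a single beacon B_1 for n beacons, k sabotaged, ell-letter alphabet,
L characters.  Added illustration of Table I; not the paper's own code.
Keep ell**L within float range (e.g. ell=2, L<=1000)."""
from math import log2


def r_xor_spacelike(n, k, ell, L):
    """Spacelike separation: no dishonest beacon can adapt, so the mod-ell sum
    is uniform whenever at least one honest beacon remains (k < n)."""
    if k >= n:
        return 0.0                 # all beacons dishonest: wholly predictable
    return log2(ell)               # min-entropy of a uniform digit


def single_beacon(n, k, ell, L):
    """B_1 alone, or R_XOR when B_1 is the latest (timelike) beacon and adapts
    its output: with probability k/n it is sabotaged and emits a sequence
    fixed in advance; otherwise all L digits are uniform.
    Returns (min-entropy, Shannon entropy) per character."""
    q = (1 - k / n) * ell ** (-L)   # probability of each non-preferred sequence
    p0 = k / n + q                  # probability of the predetermined sequence
    shannon = -p0 * log2(p0) - (ell ** L - 1) * q * log2(q)
    return -log2(p0) / L, shannon / L


def r_ts(n, k, ell, L):
    """Time sharing, R_TS(i) = B_{i mod n}(i): digits drawn from the k
    sabotaged beacons are predictable, all others uniform.  Which k beacons
    are bad is irrelevant by symmetry when n divides L, so label them 0..k-1.
    Returns (min-entropy, Shannon entropy) per character; they coincide."""
    honest = sum(1 for i in range(L) if (i % n) >= k)
    per_char = honest * log2(ell) / L
    return per_char, per_char


def table_i(n, k, ell, L):
    """Table I in units of log(ell), extended with the Shannon entropies that
    the paper says fail to separate R_TS from B_1."""
    unit = log2(ell)
    b1_min, b1_sh = single_beacon(n, k, ell, L)
    ts_min, ts_sh = r_ts(n, k, ell, L)
    return {
        "xor_spacelike_min": r_xor_spacelike(n, k, ell, L) / unit,
        "xor_timelike_min": b1_min / unit,   # latest beacon is bad w.p. k/n
        "ts_min": ts_min / unit,
        "b1_shannon": b1_sh / unit,           # exceeds (n-k)/n by <= H(k/n)/L
        "ts_shannon": ts_sh / unit,
    }


if __name__ == "__main__":
    for L in (8, 64):                 # constructed case: 4 beacons, 1 bad, bits
        print(L, table_i(n=4, k=1, ell=2, L=L))
```

The min-entropy of the single beacon (and of the late-beacon XOR) falls towards 0 as $L$ grows, while its Shannon entropy stays within $H(k/n)/L$ of the time-sharing value, which is the distinction the text draws between the two measures.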



D. Why it is not generally advantageous to combine beacons by hashing

A seemingly attractive alternative to $R_{XOR}$ and $R_{TS}$ would be to use a cryptographically strong, one-way hash function $h$ to combine the beacons, eg

$$R_h(i) = h(B_1(i), B_2(i), \ldots, B_n(i)), \qquad (3)$$

where $h$ is an $m$-to-1 mapping on characters from an $\ell$-letter alphabet; but, as we shall show, $R_h$ has significant weaknesses compared to $R_{XOR}$ and $R_{TS}$. For concreteness consider the case where there are $m = 2$ beacons, an unknown one of which is dishonest, and where each beacon broadcasts letters from an $\ell = 2^d$ letter alphabet, so that $R_h$ may be viewed as a pseudorandom mapping from pairs of $d$-bit strings to a single $d$-bit string. In the following we will use lower case letters $x$, $y$ etc to denote $d$-bit strings.

If the two beacons are spacelike separated, or otherwise known to be noninteracting, $R_{XOR}$ will be perfectly random and unpredictable. By contrast, as we will show, a dishonest beacon operator with a lot of computing power (whom we will call Eve) can force $R_h$ to be significantly nonrandom, for example forcing its first bit to be almost always zero. Assume, without loss of generality, that Eve is operating $B_1$. She then finds, by brute force search, some string $x^*$, defined to be any $d$-bit string $x$ on which the set $\{y : h(x,y) \text{ begins with } 1\}$ has minimal cardinality. This minimal cardinality will be of order unity, so if Eve always broadcasts $x^*$ as her maliciously chosen output from $B_1$, while the honest beacon $B_2$ broadcasts random $d$-bit strings, the first bit of $R_h(x^*, y)$ will almost always be 0. Similarly Eve can force the value of any other single digit of $R_h$, or strongly bias several digits of her choosing. Under the more realistic assumption that Eve has limited computing power, she cannot appreciably bias $R_h$, so it is no better and no worse than $R_{XOR}$.

If the beacons are timelike separated, with dishonest beacon $B_1$ later so it can overhear honest beacon $B_2$, a computationally powerful Eve can force almost all the digits of $R_h$ to agree with a particular string $z_0$ of her choosing. To do so, she waits till she has heard the particular string $y$ broadcast by $B_2$, then chooses her string $x^*$ to be one that minimizes the Hamming distance between $z_0$ and $h(x,y)$. Often (about $1/e$ of the time) she can obtain an exact hit $h(x^*,y) = z_0$; in other cases she can almost certainly find an $x^*$ for which $h(x^*, y)$ differs from the target $z_0$ in only one bit. Under the more realistic assumption of limited computing power, Eve can force the values of $m \approx$ several dozen bits of her choosing in $R_h$. To do so she waits till she overhears $y$, then proceeds by trial and error, evaluating $h(x, y)$ for $2^m$ random $x$ values, until she finds one, $x^*$, such that the first $m$ digits, or any other set of $m$ digits of her choosing in $R_h(x^*, y)$, have the values she wants. The computational effort is exponential in the number of digits she wishes to force. For small string lengths $d$, an Eve with moderate computing power can force all the digits of $R_h$, making it totally insecure. For large $d$, this is no longer possible, and $R_{TS}$ and $R_h$ offer two somewhat different kinds of partial unpredictability. With $R_h$ such an Eve can force a small fraction of the digits in the output stream, digits of her choosing, while the others remain unpredictable. With $R_{TS}$ Eve can force half the digits in the output stream, but has no control over which digits these are. Depending on the beacon application, one or another kind of partial predictability may be preferable. For time-bracketed authentication, it is probably better to use $R_{TS}$, because a few absolutely uncontrollable challenges are probably harder for a would-be forger to simulate than a greater number of partly-controllable challenges.